Bug Report - Personal Access Tokens

Hey, hope this is the right place or that I can directed to the right place. We think we’ve just discovered a bug that affects account permissions on personal access tokens. When editing an existing token’s permissions, specifically adding write:packages permissions, repo permissions are revoked on Update. Note that only this specific interaction causes this. It appears that you can re-apply repo permissions on a subsequent update without issue, but I figure the revocation is not intended functionality.

So, workflow:
Settings > Developer Settings > Personal access token
Note $yourToken’s permissions in italics. repo should be present
Click on $yourToken, add write:packages , Update token.
Note $yourToken’s permissions in italics. repo is now missing and write:packages is present
Click on $yourToken again, re-add repo , Update token.
Note $yourToken’s permissions in italics. It should read repo, write:packages

We have come across a similar issue with Personal Access Tokens and the write:packages permission. If you perform the authentication process with docker login and use a newly created token, the authentication process returns as successful but docker pull is denied.

Workflow:

  1. Create a new token with write:packages at the github tokens page
  2. Copy the token to your clipboard
  3. in a shell run, docker login https://docker.pkg.github.com -u GITHUBUSERNAME and paste in the token
  4. in the same shell do a docker pull docker pull docker.pkg.github.com/OWNER/REPO/KNOWN_EXISTING_IMAGE:KNOWN_TAG

The following error appears:

Error response from daemon: unauthorized: Your request could not be authenticated
by the GitHub Packages service.  Please ensure your access token is valid and has
the appropriate scopes configured.

To remedy this, the following works:

  1. Go back to the github tokens page
  2. open the SAME token up and click on Regenerate Token
  3. in a shell, docker logout https://docker.pkg.github.com
  4. in a shell, docker login https://docker.pkg.github.com -u GITHUBUSERNAME
  5. use the NEW token as the password
  6. in a shell docker pull docker pull docker.pkg.github.com/OWNER/REPO/KNOWN_EXISTING_IMAGE:KNOWN_TAG

n.b. It is important that you regenerate the same token otherwise this does not work with a brand new token.

Hi @eadderley-tc - Thank you for reporting this bug. It certainly isn’t the intended behavior. I’ve created an issue on our side to fix.